A Windows XP help forum. PCbanter


Have Identity Certificate, can't use it



 
 
#1
August 9th 07, 05:08 PM, posted to microsoft.public.windowsxp.security_admin
spearenb

Hey everyone,

I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
years. I do see it in the personal certificate store (certmgr.msc). My
problem is that neither Outlook 2003 nor IE 7 recognizes it.

Outlook 2003 pops up a warning stating that my email account doesn't have a
valid identity certificate and IE 7 won't send my credentials when trying to
access some web sites.

I can't find anything on how to troubleshoot this or how to reset my machine
to start anew. Reformatting my machine is my last resort but I don't know if
I will resort to this if I make it that far.

Any help is appreciated.

Thanks.


#2
August 9th 07, 10:45 PM, posted to microsoft.public.windowsxp.security_admin
Vanguard[_2_]

"spearenb" wrote in message

> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
> years. I do see it in the personal certificate store (certmgr.msc). My
> problem is that neither Outlook 2003 nor IE 7 recognizes it.
>
> Outlook 2003 pops up a warning stating that my email account doesn't have a
> valid identity certificate and IE 7 won't send my credentials when trying to
> access some web sites.
>
> I can't find anything on how to troubleshoot this or how to reset my machine
> to start anew. Reformatting my machine is my last resort but I don't know if
> I will resort to this if I make it that far.

Did you actually *install* the cert into Outlook?
In OL2002: Tools - Options - Security - Import
With freemail certs from Thawte, I don't have to do this since the
script in their HTML page handles the import. I let all my certs expire
and removed them so I don't have anything to look at right now.

Does the e-mail address specified in the cert match one of the e-mail
addresses defined in an account in Outlook?

#3
August 10th 07, 03:18 AM, posted to microsoft.public.windowsxp.security_admin
spearenb



"Vanguard" wrote:

> "spearenb" wrote in message
>
>> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
>> years. I do see it in the personal certificate store (certmgr.msc). My
>> problem is that neither Outlook 2003 nor IE 7 recognizes it.
>>
>> Outlook 2003 pops up a warning stating that my email account doesn't have a
>> valid identity certificate and IE 7 won't send my credentials when trying to
>> access some web sites.
>>
>> I can't find anything on how to troubleshoot this or how to reset my machine
>> to start anew. Reformatting my machine is my last resort but I don't know if
>> I will resort to this if I make it that far.
>
> Did you actually *install* the cert into Outlook?
> In OL2002: Tools - Options - Security - Import
> With freemail certs from Thawte, I don't have to do this since the
> script in their HTML page handles the import. I let all my certs expire
> and removed them so I don't have anything to look at right now.
>
> Does the e-mail address specified in the cert match one of the e-mail
> addresses defined in an account in Outlook?

Yeah, the certificate is contained on a CAC card (smart card) and the card
reader imported it into Outlook. Also, I do (did) have a certificate from
ORC that was imported at one time... and it doesn't work either. I am less
confident and not really worried about the ORC certificate though...

#4
August 10th 07, 04:20 AM, posted to microsoft.public.windowsxp.security_admin
Vanguard[_2_]

"spearenb" wrote in message ...

> "Vanguard" wrote:
>
>> "spearenb" wrote in message
>>
>>> I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
>>> years. I do see it in the personal certificate store (certmgr.msc). My
>>> problem is that neither Outlook 2003 nor IE 7 recognizes it.
>>>
>>> Outlook 2003 pops up a warning stating that my email account doesn't have a
>>> valid identity certificate and IE 7 won't send my credentials when trying to
>>> access some web sites.
>>>
>>> I can't find anything on how to troubleshoot this or how to reset my machine
>>> to start anew. Reformatting my machine is my last resort but I don't know if
>>> I will resort to this if I make it that far.
>>
>> Did you actually *install* the cert into Outlook?
>> In OL2002: Tools - Options - Security - Import
>> With freemail certs from Thawte, I don't have to do this since the
>> script in their HTML page handles the import. I let all my certs expire
>> and removed them so I don't have anything to look at right now.
>>
>> Does the e-mail address specified in the cert match one of the e-mail
>> addresses defined in an account in Outlook?
>
> Yeah, the certificate is contained on a CAC card (smart card) and the card
> reader imported it into Outlook. Also, I do (did) have a certificate from
> ORC that was imported at one time... and it doesn't work either. I am less
> confident and not really worried about the ORC certificate though...


I don't know how a card reader can do anything by itself, so I don't see
how a .pfx file on a flash card can do anything to import a certificate.
Try following the import instructions at
http://support.microsoft.com/kb/823503/en-us.

When in Outlook under the Tools - Options - Security tab, is a cert
listed in the drop-down listbox for "Default Setting"? When you click
on the Settings button, do you see any certs listed?

For IE, under Internet Options - Content - Certificates, are any
listed there? Currently I only have one listed for the EFS cert (which
cannot be used by IE for HTTPS or by an e-mail client).

When using certmgr.msc, what purposes are listed for each cert you have
installed?

#5
August 10th 07, 01:52 PM, posted to microsoft.public.windowsxp.security_admin
spearenb



"Vanguard" wrote:

> I don't know how a card reader can do anything by itself, so I don't see
> how a .pfx file on a flash card can do anything to import a certificate.
> Try following the import instructions at
> http://support.microsoft.com/kb/823503/en-us.
>
> When using certmgr.msc, what purposes are listed for each cert you have
> installed?

The reader is ActivCard Gold and it has 'register' functionality. This was
the way I put it in the Personal/Certificates area of the certmgr.msc app.

Speaking of which, properties for the certificate include the S/MIME signing
with a Yes.

> When in Outlook under the Tools - Options - Security tab, is a cert
> listed in the drop-down listbox for "Default Setting"? When you click
> on the Settings button, do you see any certs listed?

Yes, I do have an entry for this certificate. I was able to select it in
the Change Security Settings window.

> For IE, under Internet Options - Content - Certificates, are any
> listed there? Currently I only have one listed for the EFS cert (which
> cannot be used by IE for HTTPS or by an e-mail client).

Yes, I see it in there.




#6
August 12th 07, 12:36 AM, posted to microsoft.public.windowsxp.security_admin
Vanguard[_2_]

I read up some on the cert you mention having, like at
http://www.verisign.com/repository/cps/dod/ieca-cps.pdf. I don't see
that it is used for SSL connects or for e-mail.

Have you checked at the CA that issued the cert to make sure it hasn't
been revoked? Your statements in your first post make it appear that you
think you still have a valid cert but that perhaps you are no longer
employed with the DOD yet still think you can identify yourself from
there. I don't know who is the CA for your cert. If it is a Verisign
cert, see if you can check its status at:

Class 1 cert: https://digitalid.verisign.com/servi...ent/index.html
ECA cert: https://eca.verisign.com/client/revoke.htm


Did you check what the usages were listed for that cert?

I found some articles at Verisign regarding support, like:

http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/verisign-bus...all/index.html
http://www.verisign.com/support/digi...dev029379.html
http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/static/037901.pdf


#7
August 14th 07, 02:46 PM, posted to microsoft.public.windowsxp.security_admin
spearenb

OK, I have some egg on my face here.....

After calling the DISA support line, I have found out that I ONLY have an ID
certificate on my card. I don't have an email or encryption certificate.

On the other hand, I was able to install my ORC certificates (meaning I
remembered my passwords) so I have an ID and encryption certificate that I
can use for email.

I think my confusion is that the ID certificates from the different
organizations are not the same. I thought the ID cert from DISA would be
akin to the ID cert from ORC and therefore, be used for email.

Anyway, Vanguard, thanks for your help. Case Closed.

"Vanguard" wrote:

> I read up some on the cert you mention having, like at
> http://www.verisign.com/repository/cps/dod/ieca-cps.pdf. I don't see
> that it is used for SSL connects or for e-mail.
>
> Have you checked at the CA that issued the cert to make sure it hasn't
> been revoked? Your statements in your first post make it appear that you
> think you still have a valid cert but that perhaps you are no longer
> employed with the DOD yet still think you can identify yourself from
> there. I don't know who is the CA for your cert. If it is a Verisign
> cert, see if you can check its status at:
>
> Class 1 cert: https://digitalid.verisign.com/servi...ent/index.html
> ECA cert: https://eca.verisign.com/client/revoke.htm
>
> Did you check what the usages were listed for that cert?
>
> I found some articles at Verisign regarding support, like:
>
> http://www.verisign.com/support/eca-support/index.html
> http://www.verisign.com/verisign-bus...all/index.html
> http://www.verisign.com/support/digi...dev029379.html
> http://www.verisign.com/support/eca-support/index.html
> http://www.verisign.com/static/037901.pdf
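
Added example, not part of the original thread and not code from any poster: the question that settled this thread was what purposes each certificate in the personal store is actually issued for. One way to answer it on a current Windows system with PowerShell 3 or later is to read the Key Usage and Enhanced Key Usage extensions directly. The function name `Get-CertPurposeReport` and the "usable" columns are assumptions made for this illustration; they approximate the checks discussed above and are not Outlook's or IE's real selection logic.

```powershell
# Added example (not from the thread). Summarizes what each certificate in the
# current user's Personal store may be used for. The "usable" columns are a
# simplified approximation, not Outlook's or IE's actual selection logic.
$OidSecureEmail = '1.3.6.1.5.5.7.3.4'   # Secure Email (S/MIME)
$OidClientAuth  = '1.3.6.1.5.5.7.3.2'   # Client Authentication (TLS)
$OidAnyEku      = '2.5.29.37.0'         # anyExtendedKeyUsage

function Get-CertPurposeReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $kuFlags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $signMask = [int]$kuFlags::DigitalSignature -bor [int]$kuFlags::NonRepudiation
    $encMask  = [int]$kuFlags::KeyEncipherment -bor [int]$kuFlags::KeyAgreement

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions['2.5.29.37']   # Enhanced Key Usage extension
        $ku  = $cert.Extensions['2.5.29.15']   # Key Usage extension

        # No EKU extension means the certificate is not limited to listed purposes.
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $unrestricted = (-not $eku) -or ($ekuOids -contains $OidAnyEku)
        $emailOk  = $unrestricted -or ($ekuOids -contains $OidSecureEmail)
        $clientOk = $unrestricted -or ($ekuOids -contains $OidClientAuth)

        # No Key Usage extension means the key itself is not restricted.
        $canSign = $true; $canEncrypt = $true
        if ($ku) {
            $canSign    = (([int]$ku.KeyUsages) -band $signMask) -ne 0
            $canEncrypt = (([int]$ku.KeyUsages) -band $encMask) -ne 0
        }

        # E-mail address from the subject or subjectAltName, empty if absent.
        $email = $cert.GetNameInfo($nameType::EmailName, $false)
        $live  = $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))

        [pscustomobject]@{
            Subject      = $cert.GetNameInfo($nameType::SimpleName, $false)
            Email        = $email
            SmimeSign    = $live -and $emailOk -and $canSign -and [bool]$email
            SmimeEncrypt = $live -and $emailOk -and $canEncrypt -and [bool]$email
            TlsClient    = $live -and $clientOk -and $canSign
            Expires      = $cert.NotAfter
        }
    }
}

Get-CertPurposeReport | Format-Table -AutoSize
```

A certificate that shows up in certmgr.msc but reports False in the S/MIME columns is present in the store without being issued for e-mail, which is the situation the original poster describes in the final post.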



 



